Cat’s Got Your Files: Lynx Ransomware

The intrusion began with valid Remote Desktop Protocol (RDP) logons using compromised credentials and progressed through rapid lateral movement, domain account creation, discovery with SoftPerfect NetScan and NetExec, data collection and exfiltration to temp.sh, and culminated in deletion of backups and deployment of Lynx ransomware across backup and file servers. The activity used paid/licensed tooling and bulletproof-hosted infrastructure (Railnet/Virtualine) with a Time to Ransomware of ~178 hours. #Lynx #temp.sh

Keypoints

  • Initial access via a single successful RDP login from 195.211.190[.]189 using valid credentials, with no evidence of brute forcing, implying pre-compromised credentials or initial access broker involvement.
  • Rapid lateral movement to a domain controller within ten minutes using a separate compromised domain admin account, and creation of multiple look-alike accounts added to privileged groups for persistence and privileged access.
  • Extensive network and system discovery using SoftPerfect NetScan and NetExec to enumerate hosts, shares, hypervisors, and backup infrastructure.
  • Collection of sensitive files from multiple network shares, compressed with 7-Zip, and exfiltrated to the temporary file-sharing service temp.sh.
  • Attacker connected to backup servers, deleted backup jobs (Veeam), and deployed Lynx ransomware (w.exe) across multiple backup and file servers via RDP, inhibiting recovery.
  • Attacker used two source IPs (195.211.190[.]189 and 77.90.153[.]30) associated with Railnet LLC/Virtualine bulletproof hosting and consistently reused the same hostname DESKTOP-BUL6K1U.
  • Artifacts and tool hashes identified: netscan.exe, nxc.exe (NetExec), and w.exe (Lynx) with multiple SHA256 hashes provided for detection and hunting.

MITRE Techniques

  • [T1078] Valid Accounts – Used pre-compromised valid user and domain admin credentials for initial RDP access and lateral movement (“successful RDP logon…indicating the threat actor likely possessed valid credentials before the activity occurred”).
  • [T1021.001] Remote Desktop Protocol – Performed most post-compromise activity and lateral movement via RDP sessions to domain controllers, hypervisors, backup and file servers (“the threat actor conducted most post-compromise activity through RDP sessions…”).
  • [T1046] Network Service Discovery – Used SoftPerfect NetScan and NetExec to scan IP ranges and identify hosts/services (“SoftPerfect Network Scanner…performed network discovery” and “nxc.exe smb REDACTED/24 -u REDACTED -p REDACTED”).
  • [T1135] Network Share Discovery – Enumerated and browsed network file shares and checked write access (NetScan created delete[.]me files on shares) (“Enabled share scanning with checks for security info, share writing and diskspace” and “delete[.]me file on each discovered share”).
  • [T1560.001] Archive via Utility – Compressed collected files using 7-Zip to create archives prior to exfiltration (“the actor compressed the contents into archives” and “7zG.exe archiving command lines…Add to Archive functionality”).
  • [T1567] Exfiltration Over Web Service – Exfiltrated archives to the temporary file-sharing service temp.sh via the site’s /upload feature (“exfiltrated them to the temporary file-sharing service temp[.]sh” and “references to the ‘/upload’ URI”).
  • [T1219] Remote Access Software – Installed the AnyDesk service on the domain controller to establish persistence (“installed the AnyDesk remote access client on the domain controller…AnyDesk access was never used during the remainder of the intrusion”).
  • [T1543.003] Windows Service – The AnyDesk installation created a service for persistence on the domain controller (“dropped and installed the remote desktop application AnyDesk, which created a service for persistence”).
  • [T1059.003] Windows Command Shell – Executed commands and the ransomware via cmd.exe across hosts (“Throughout the intrusion, the threat actor used Windows Command Shell (cmd.exe) … and executed ‘w.exe’ on each server using cmd”).
  • [T1012] Query Registry – Queried registry keys to identify Hyper-V hostnames and other configuration (“reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters”).
  • [T1082] System Information Discovery – Ran systeminfo and related commands to gather host details (“Systeminfo” and repeated uses of systeminfo during discovery activities).
  • [T1490] Inhibit System Recovery – Connected to backup servers and removed backup jobs from Veeam to prevent recovery prior to ransomware deployment (“deleted backup jobs” and “removed backups from the configuration database”).
  • [T1486] Data Encrypted for Impact – Deployed Lynx ransomware (w.exe) to encrypt data on backup and file servers with specific arguments (e.g., --dir, --mode fast) (“deployed and executed Lynx ransomware on the backup server” and example command “w.exe --dir E: --mode fast --verbose --noprint”).
  • [T1136.002] Domain Account – Created new domain accounts mimicking legitimate users and assigned them privileged group memberships (“created two new accounts: ‘administratr’ and another designed to mimic an existing domain account…added them to privileged security groups, including Domain Administrators”).
  • [T1059.001] PowerShell – PowerShell was used for command execution and living-off-the-land activity (“Throughout the intrusion, the threat actor used … PowerShell to execute commands on compromised hosts”).
  • [T1018] Remote System Discovery – Identified virtualization infrastructure and hypervisors via registry queries and the Hyper-V MMC (“launched virtmgmt.msc (the Hyper-V management console)” and registry queries for Hyper-V hostnames).
  • [T1016] System Network Configuration Discovery – Ran ipconfig, route print and related commands to gather network configuration (“ipconfig” and “route print” used during discovery).
  • [T1087.001] Local Account – Reviewed local users and groups via lusrmgr.msc alongside the account creation activity (“launched lusrmgr.msc…advanced management of local users and groups”).

Indicators of Compromise

  • [IP Address] RDP source and follow-up access – 195.211.190[.]189 (initial RDP logon), 77.90.153[.]30 (subsequent RDP access).
  • [Domain/Service] Exfiltration endpoint – temp.sh (upload URI used for exfiltrating archives).
  • [File Hashes] Tooling and payloads – netscan.exe (3073af95dfc18361caebccd69d0021a2), nxc.exe (7532ff90145b8c59dc9440bf43dc87a5), w.exe (Lynx) (e2179046b86deca297ebf7398b95e438); the values quoted here are 32-character hashes, and the report lists two further hashes for each file.
  • [File Names] Dropped/executed binaries – netscan.exe (SoftPerfect Network Scanner), nxc.exe (NetExec), w.exe (Lynx ransomware) – used for discovery, SMB enumeration, and ransomware deployment respectively.
  • [User/Hostname] Observed username/host – hostname DESKTOP-BUL6K1U seen in Windows logon events, and attacker-created accounts such as “administratr”, “Lookalike 1”, “Lookalike 2”.
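The technique and indicator lists above translate directly into hunting logic. The following is an added example, not code from The DFIR Report: it triages constructed Windows Security events (4624 RDP logons, 4720 account creation, 4688 process creation; field names mirror the Windows event schema) against the source IPs, attacker hostname, look-alike account naming and tool command lines described in this intrusion. The baseline of known accounts and the sample events are constructed for the demonstration.

```python
"""Hunt Windows-style security events for the Lynx intrusion indicators above."""
import re
from difflib import SequenceMatcher

# Indicators taken from the report (defanged in the text; undone here for matching).
RDP_SOURCE_IPS = {"195.211.190.189", "77.90.153.30"}
ATTACKER_HOSTNAME = "DESKTOP-BUL6K1U"
TOOL_PATTERNS = {
    "netexec_smb_scan": re.compile(r"\bnxc\.exe\s+smb\b", re.I),      # nxc.exe smb <range> ...
    "softperfect_netscan": re.compile(r"\bnetscan\.exe\b", re.I),     # SoftPerfect NetScan
    "lynx_ransomware": re.compile(r"\bw\.exe\b.*--mode\s+fast", re.I), # w.exe --dir E: --mode fast ...
}
# Constructed baseline of legitimate account names used for the look-alike check.
KNOWN_ACCOUNTS = {"administrator", "svc_backup"}

def is_lookalike(new_name, known=KNOWN_ACCOUNTS, threshold=0.85):
    """True when a newly created name nearly matches an existing account (e.g. 'administratr')."""
    n = new_name.lower()
    return any(n != k and SequenceMatcher(None, n, k).ratio() >= threshold for k in known)

def triage(event):
    """Return alert tags for one event dict; an empty list means nothing matched."""
    tags = []
    eid = event["EventID"]
    if eid == 4624 and event.get("LogonType") == 10:           # LogonType 10 = RemoteInteractive (RDP)
        if event.get("IpAddress") in RDP_SOURCE_IPS:
            tags.append("rdp_from_known_bad_ip")
        if event.get("WorkstationName") == ATTACKER_HOSTNAME:  # client hostname reused across the intrusion
            tags.append("rdp_from_attacker_hostname")
    elif eid == 4720 and is_lookalike(event["TargetUserName"]):  # user account created
        tags.append("lookalike_account_created")
    elif eid == 4688:                                           # process creation with command line
        cmd = event.get("CommandLine", "")
        tags += [name for name, rx in TOOL_PATTERNS.items() if rx.search(cmd)]
    return tags

# Constructed sample events modelled on the report's observations (network range is a placeholder).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 10, "IpAddress": "195.211.190.189", "WorkstationName": "DESKTOP-BUL6K1U"},
    {"EventID": 4720, "TargetUserName": "administratr"},
    {"EventID": 4688, "CommandLine": "nxc.exe smb 10.0.0.0/24 -u user -p pass"},
    {"EventID": 4688, "CommandLine": "w.exe --dir E: --mode fast --verbose --noprint"},
    {"EventID": 4624, "LogonType": 10, "IpAddress": "10.0.0.5", "WorkstationName": "HR-LAPTOP"},
]

def hunt(events=SAMPLE_EVENTS):
    """Return (event index, tag) pairs for every indicator hit across the event list."""
    return [(i, t) for i, e in enumerate(events) for t in triage(e)]

if __name__ == "__main__":
    for idx, tag in hunt():
        print(idx, tag)
```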

Read more: https://thedfirreport.com/2025/11/17/cats-got-your-files-lynx-ransomware/